Encrypted Data Bag for Postfix SASL Authentication

I recently had a chance to sit down and implement an encrypted data bag in my personal environment. The steps should translate nicely for anyone who wants to use encrypted data bags in their own environment.

The use case

I send mail out through a SASL-authenticated SMTP server. My local network has a Postfix SMTP relay that connects to that SASL-authenticated relay. I'm using the Opscode postfix cookbook with its sasl_auth recipe, which I originally wrote for this use case.

The postfix::sasl_auth recipe is applied in an "operations master" role. The SASL user name and password are set as attributes in that role. Relevant lines from the role:

Encrypted Secrets

Chef's data bags are a great way to store information that is infrastructure-wide rather than specific to a role or node. Encrypted data bags extend that to sensitive information like passwords: the values are encrypted with a shared secret before they are stored on the Chef Server, so anyone who can read the data bag (via the API, the server's disk, or a backup) still cannot recover them without the secret. Here are the steps I followed to get the encrypted data bag set up.

First, I created the secret key file that is used to encrypt the contents of the data bag item. This file is highly sensitive and must not be stored in source control; it gets copied only to the systems that need to decrypt the item, and on those systems it should be readable only by the user that runs chef-client.

openssl rand -base64 512 > ~/.chef/encrypted_data_bag_secret

Next, I created the actual data bag.

knife data bag create secrets

Next, I created the data bag item using the secret key. The item is created directly on the Chef Server rather than from a plain-text JSON file, so the unencrypted values are not left lying around in a file.
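What the secret actually protects, as an added example that is not part of the original post and not Chef's own code: a small Ruby script that encrypts a data bag item field by field in the way an encrypted item is laid out (to my understanding: id in the clear, every other field AES-256-CBC under the SHA-256 digest of the secret file's contents, each with its own IV), decrypts it back, rejects a wrong secret, and refuses a secret file that other local users can read. The item name postfix and the field names sasl_user and sasl_passwd are assumptions for illustration, not the cookbook's attribute names.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'
require 'tempfile'

# Added illustration, not Chef's implementation. The layout is modeled on how
# Chef stores an encrypted data bag item as I understand it: "id" stays in the
# clear, every other field is encrypted separately with AES-256-CBC under the
# SHA-256 digest of the secret file's contents, and each field carries its own
# IV. Field names below (sasl_user, sasl_passwd) are assumed, not the cookbook's.

CIPHER = 'aes-256-cbc'.freeze

class DecryptError < StandardError; end

# The secret file holds base64 text far longer than the cipher key; hashing it
# gives a fixed 32-byte AES-256 key regardless of how the secret was generated.
def key_from_secret(secret_text)
  Digest::SHA256.digest(secret_text.strip)
end

def encrypt_field(value, key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh IV per field, so equal values encrypt differently
  # Wrap the value in JSON so strings, arrays and hashes all round-trip intact.
  ciphertext = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  {
    'encrypted_data' => Base64.strict_encode64(ciphertext),
    'iv' => Base64.strict_encode64(iv),
    'cipher' => CIPHER
  }
end

def decrypt_field(enc, key)
  raise DecryptError, "unsupported cipher #{enc['cipher']}" unless enc['cipher'] == CIPHER
  decipher = OpenSSL::Cipher.new(CIPHER).decrypt
  decipher.key = key
  decipher.iv = Base64.strict_decode64(enc['iv'])
  plaintext = decipher.update(Base64.strict_decode64(enc['encrypted_data'])) + decipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, KeyError, TypeError, NoMethodError
  # A wrong secret shows up as a padding failure or as garbage that is not the
  # expected JSON; surface both the same way instead of leaking which happened.
  raise DecryptError, 'decryption failed (wrong secret or corrupted item?)'
end

# Encrypt every field except "id", which knife needs in the clear to name the item.
def encrypt_item(item, key)
  item.each_with_object({}) do |(field, value), out|
    out[field] = field == 'id' ? value : encrypt_field(value, key)
  end
end

def decrypt_item(enc_item, key)
  enc_item.each_with_object({}) do |(field, value), out|
    out[field] = field == 'id' ? value : decrypt_field(value, key)
  end
end

# The scheme is only as strong as the secrecy of this one file, so refuse a
# secret file that group or world can read.
def secret_file_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a throwaway secret file, filled the same way as
  # "openssl rand -base64 512", and the two SASL values the relay needs.
  Tempfile.create('encrypted_data_bag_secret') do |f|
    f.write(Base64.encode64(OpenSSL::Random.random_bytes(512)))
    f.flush
    File.chmod(0o600, f.path)
    abort "secret file #{f.path} is readable by others" unless secret_file_ok?(f.path)
    key = key_from_secret(File.read(f.path))
    item = { 'id' => 'postfix', 'sasl_user' => 'relay@example.com', 'sasl_passwd' => 'hunter2' }
    encrypted = encrypt_item(item, key)
    puts JSON.pretty_generate(encrypted) # what would sit on the Chef Server
    puts decrypt_item(encrypted, key) == item ? 'round trip ok' : 'round trip FAILED'
  end
end
```

Running it prints the item as it would sit on the Chef Server: only id is readable, and encrypting the same item twice gives different ciphertext because every field gets a fresh IV. One caveat worth keeping in mind: CBC provides confidentiality only. A tampered field usually fails the padding check, but not always, so the data bag on the server is trusted storage for integrity purposes, not an authenticated one.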